Friday, January 30, 2015

A newly disclosed vulnerability in the GNU C Library (glibc) used by most Linux systems, nicknamed “GHOST” (CVE-2015-0235), is a heap buffer overflow in the gethostbyname() family of functions. It gives attackers the ability to execute malicious code on servers that resolve attacker-supplied hostnames, including mail servers, web hosts and other vital systems. The bug was fixed upstream in glibc 2.18 in 2013, but because the fix was not flagged as a security fix at the time, long-term-support distributions did not backport it, and most Linux versions used in production remained unprotected until vendors shipped updates this week. Installing the updated library is not enough on its own: long-running daemons keep the old code mapped until they are restarted, so restart affected services or reboot the host.
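The check a practitioner wants after patching is not a version string but a behavioural test. The following is an added example (not from this page or from Fidelis), modelled on the canary test Qualys published alongside its advisory: it calls gethostbyname_r() with a buffer sized so that the unpatched length calculation (which omitted the alias pointer) believes the buffer is exactly big enough, and watches a canary placed right after that buffer. It assumes a glibc-based Linux system; on another libc the result is reported as unexpected rather than as a verdict.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome codes returned by ghost_check(). */
enum { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_UNEXPECTED = 2 };

#define CANARY "in_the_coal_mine"

/* The buffer handed to gethostbyname_r(), immediately followed by a canary.
   On an unpatched glibc the overflow writes past 'buffer' and clobbers it. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* Sized so that the old (buggy) size calculation accepts the buffer:
       strlen(name) = buflen - sizeof(host_addr) - sizeof(h_addr_ptrs) - 1.
       The fixed calculation also counts the alias pointer and refuses it. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;

    memset(name, '0', len);   /* all digits: takes the numeric-address fast path */
    name[len] = '\0';

    /* Reset the canary so the check is repeatable within one process. */
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;      /* canary smashed: the overflow happened */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;  /* fixed glibc rejects the undersized buffer */
    return GHOST_UNEXPECTED;          /* neither outcome, e.g. a non-glibc libc */
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "vulnerable", "unexpected result" };
    int rc = ghost_check();
    puts(verdict[rc]);
    return rc == GHOST_NOT_VULNERABLE ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Run it on each host after updating and restarting services; a “vulnerable” verdict on a machine that reports a patched package version usually means a process is still running against the old library, or the package was not actually the fixed build.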

Adobe has issued another emergency update for a critical security flaw in Flash Player that is being actively exploited in the wild. As of January 27, updates are available for Flash Player on Windows and Mac OS X; Adobe is working with its distribution partners to deliver the update to the players bundled with Google Chrome and Internet Explorer 10 and 11. Until the bundled players are updated, disabling Flash or enabling click-to-play in the browser closes the window for drive-by exploitation.

The Malaysia Airlines website was attacked on January 26; the company issued a statement saying its DNS had been compromised and users were being redirected to a fake website. Malaysia Airlines said its servers were intact and user data was secure. Note that a DNS hijack does not require touching the web servers at all: whoever controls the domain’s records controls where users land and what they see, so “servers intact” says little about what visitors were exposed to while the redirect was live. Lizard Squad, one of the groups claiming responsibility, said it would release data “soon.”

A recently identified phishing email preys on parents’ fear for their children’s safety. The subject line reads “Alert: There is a child predator living near you!” The link in the message takes the victim to a legitimate website while simultaneously infecting the victim’s device with malware, so the victim sees nothing suspicious after clicking.

Mozilla products, including the Firefox browser, will soon stop trusting an unknown number of SSL certificates that chain to old root CA certificates with 1024-bit RSA keys. The move is part of Mozilla’s effort to push certificate authorities and their customers off 1024-bit RSA, which is no longer considered safe against well-resourced attackers given advances in computing power; NIST guidance has disallowed it since the end of 2013. Site operators should check every certificate in the chain they serve, not just the leaf: a 2048-bit server certificate is still affected if the intermediate or root it chains to carries a 1024-bit key.

Want to keep up with Cyber Scoop throughout the week? Follow us on Twitter @FidSecSys and don’t forget to share articles you think should be in next week’s Scoop using #CyberScoop!

Friday, January 23, 2015

This Week in Cybersecurity News

Oracle released its quarterly Critical Patch Update, which includes fixes for at least nineteen security vulnerabilities in Java. Oracle also announced that it has begun using Java’s auto-update mechanism to migrate Java 7 users to Java 8.

The customer database of Lizard Squad’s DDoS-for-hire service has been breached, exposing the registered usernames and plaintext passwords of 14,241 users. The data shows that customers deposited more than $11,000 in bitcoin to pay for DDoS attacks on thousands of Internet addresses. Because the passwords were stored in plaintext, any customer who reused one elsewhere is now exposed on those accounts too.

The Angler Exploit Kit has begun targeting a new vulnerability in Adobe Flash Player. Not every Angler instance is serving the exploit yet, but at least one is targeting version 16.0.0.257, the current release at the time of writing, meaning a fully patched Flash offered no protection. The new payload appears to focus on Internet Explorer.

“123456” and “password” keep the top two spots in SplashData’s annual worst-password list for the fourth year in a row. The list is compiled from sets of credentials leaked online; this year’s study looked at more than 3.3 million leaked passwords, and the top twenty-five alone accounted for 2.2% of them. That concentration is exactly why attackers spray a short list of common passwords across many accounts, and why a registration or password-change flow should reject anything on such a list.


Tuesday, January 20, 2015

(This article was originally written by Jim Jaeger for Third Certainty and was published on January 14, 2015)

According to legend, early-20th-century bank robber Willie Sutton, asked why he robbed banks, said, “That’s where the money is.” Seen in the context of the recent spate of attacks on retailers, from Target to Home Depot to Kmart, this makes sense. After all, that’s where the credit cards are.

Of course, this is not strictly true. While cards are used at retail locations, card data is rarely stored there. In actuality, the data lives with the issuers and processors, which handle the information associated with hundreds of millions of cards. However, issuers and processors have substantially stepped up their IT security over the past five years, making their networks much harder to break into.

Once these companies hardened their defenses, attackers moved downstream to retailers and their point-of-sale (POS) terminals. Many retailers have not been able to invest as quickly in the sophisticated security tools that issuers and processors now employ, and successful attacks on the retail industry have risen accordingly.

Tools such as RAM scrapers capture card data from the memory of the POS process during the brief moment when it is decrypted, processed and re-encrypted; encryption at rest and on the wire does nothing for data in that window. These tools were originally developed to go after the big processors, and they work just as well against retailers that lack a strong security posture. Because they are hard to detect, RAM scrapers have made it easier, faster and safer to get into a retailer’s network and push malware out to a large number of stores and terminals.
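Defenders can look for what a RAM scraper looks for. The following is an added example, not code from the original article or from Fidelis: it walks an arbitrary byte region (a process memory dump, a page, a packet payload), picks out runs of 13 to 19 ASCII digits, keeps the ones that pass the Luhn check and flags those laid out as Track 2 data (PAN, ‘=’ separator, YYMM expiry). The sample buffer is constructed for this example using published test card numbers and stands in for a slice of POS process memory; it is not real card data.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Luhn checksum over an ASCII digit run of length n (d need not be NUL-terminated). */
int luhn_ok(const unsigned char *d, size_t n)
{
    int sum = 0, dbl = 0;
    while (n-- > 0) {                       /* walk right to left */
        int v = d[n] - '0';
        if (dbl) { v *= 2; if (v > 9) v -= 9; }
        sum += v;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

typedef struct {
    size_t digit_runs;   /* runs of 13-19 consecutive ASCII digits */
    size_t luhn_valid;   /* of those, runs that pass Luhn: candidate PANs */
    size_t track2;       /* Luhn-valid PAN followed by '=' and a YYMM expiry: Track 2 layout */
} scan_result;

/* Scan a byte region for card-number-shaped data. The region may contain NUL
   bytes, so len is authoritative and the buffer is never treated as a C string. */
scan_result scan_for_card_data(const unsigned char *buf, size_t len)
{
    scan_result r = {0, 0, 0};
    size_t i = 0;

    while (i < len) {
        if (!isdigit(buf[i])) { i++; continue; }
        size_t start = i;
        while (i < len && isdigit(buf[i])) i++;
        size_t n = i - start;
        if (n < 13 || n > 19) continue;           /* PAN lengths per ISO/IEC 7812 */
        r.digit_runs++;
        if (!luhn_ok(buf + start, n)) continue;   /* drops most timestamps, IDs, counters */
        r.luhn_valid++;

        /* Track 2: PAN '=' YYMM service-code discretionary-data. A plausible month
           right after the separator is a strong sign of swiped card data. */
        if (i + 5 <= len && buf[i] == '=' &&
            isdigit(buf[i + 1]) && isdigit(buf[i + 2]) &&
            isdigit(buf[i + 3]) && isdigit(buf[i + 4])) {
            int mm = (buf[i + 3] - '0') * 10 + (buf[i + 4] - '0');
            if (mm >= 1 && mm <= 12) r.track2++;
        }
    }
    return r;
}

/* Constructed sample (not real data): a Track 2 record with the 4111... test PAN,
   a 16-digit order number that fails Luhn, a phone number, a bare 5500...0004 test
   PAN without track formatting, and NUL padding as found in process memory. */
static const unsigned char sample[] =
    "POSAPP\0\0;4111111111111111=251210112345?\0\0"
    "order 1234567890123456 tel 5551234567 "
    "cust 5500000000000004 ok\0\0\0";

scan_result sample_scan(void)
{
    return scan_for_card_data(sample, sizeof(sample) - 1);
}

int main(void)
{
    scan_result r = sample_scan();
    printf("digit runs: %zu, luhn-valid: %zu, track-2: %zu\n",
           r.digit_runs, r.luhn_valid, r.track2);
    return r.track2 ? 1 : 0;   /* non-zero: cleartext card data present in this region */
}
```

Point it at a memory dump of the POS process (or at a network capture of what leaves a terminal) rather than at disk. Expect some false positives: roughly one in ten random digit strings of the right length passes Luhn, so alert on the Track 2 (or Track 1) layout, or on a PAN count far above what one terminal should ever hold in memory at once, rather than on a single bare match.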

Industries often learn from their mistakes, forcing hackers to move on to the next set of targets as earlier victims adopt a broader, hardened security posture.

This raises the question: where will hackers go next? Regardless of their motivation (financial, political, etc.), information is currency to hackers, and hackers follow the money. Organizations holding large amounts of information, whether card account numbers, personally identifiable information or valuable intellectual property, are common targets.

Hackers follow the information, and access is crucial. A targeted organization might not hold the sought-after information itself, but it may provide access to an organization that does. This means that third-party partners and vendors with lagging security postures will continue to be used as entry points.

It’s more important than ever, regardless of industry, for organizations to have the technology, tools and trained staff in place to prevent a breach, as well as a plan of action for when the bad guys find their way in.

Organizations need to assess their overall security hygiene. Hackers look for the easiest entry point, so organizations that don’t enforce basic practices such as patching and educating employees about phishing and social engineering will fall victim easily.

Imagine Sutton walking into an empty bank that left the vault open with money ready for the taking. That may be how your network is looking to a hacker.

You never know when you might be next on a hacker’s list, and you don’t want that day to be the first day you think about security. Start talking about your security posture now, before it’s too late.

Friday, January 16, 2015

This Week in Cybersecurity News

An attack tool called “Skeleton Key”, planted on a domain controller, allowed attackers to authenticate to the victim’s network as any user. The tool patches the LSASS process on the domain controller in memory so that a master password of the attackers’ choosing is accepted for any account, while users’ real passwords keep working, so nothing breaks and nobody notices. Because the patch lives only in memory, it does not survive a reboot of the domain controller; the attackers need domain-administrator access to deploy it, which means its presence is evidence of a much deeper compromise. Only one case of the malware has been found, but evidence points to a more widespread campaign.

As of January 15, attackers had defaced some 19,000 French websites. According to the head of the French military’s cyberdefense unit, the attacks were carried out by well-known Islamic hacking groups. Hackers affiliated with Anonymous have in turn launched a campaign against jihadist websites.

The website of North Korea’s state-run news agency (KCNA) hosted a malicious file called FlashPlayer10.zip, served by JavaScript code loaded from kcna.user.exploit.kcmsf. The archive contains two malicious executables that appear designed to steal passwords saved in the browser. Fake Flash Player installers remain one of the most common lures for getting a user to run an executable; a genuine Flash update never arrives as a zip file from a news site.

Zero-day vulnerabilities have been disclosed in several Corel applications, potentially affecting more than 100 million users. The flaw is DLL search-order hijacking: according to the disclosing researchers, the applications load certain DLLs from the directory of the file being opened, so an attacker who places a malicious DLL next to a document and gets the user to open it runs code with that user’s privileges. Until a fix is available, treat Corel documents received alongside unfamiliar DLLs, for example in a shared folder or an extracted archive, as hostile.

Mozilla released Firefox 35 on January 13. The release fixes numerous vulnerabilities, several of them rated critical, with the remainder rated moderate or low impact.


Friday, January 09, 2015

This Week in Cybersecurity News

A report issued by Germany’s Federal Office for Information Security (BSI) describes an attack in which intruders gained a foothold in a steel mill’s office network through spear-phishing and social engineering, moved from there into the production network, and disrupted the industrial control system so that a blast furnace could not be shut down in a controlled manner, resulting in massive damage.

FBI Director James Comey said the United States concluded North Korea was behind the attack on Sony Pictures in part because the attackers had, on several occasions, connected directly from IP addresses used exclusively by North Korea rather than through the proxy servers they otherwise used.

Thursday, January 08, 2015

PwC recently issued a report that found that, despite the increasing number of cyber attacks and the growing monetary and reputational damage they cause, many companies, particularly small businesses, are actually cutting their cybersecurity budgets. Security spending fell at companies with less than $100 million in revenue, which is rather shocking considering that the number of reported cybersecurity incidents rose 48 percent, to almost 120,000 attacks per day, in 2014.

This leaves me scratching my head a bit. It seems that many of these companies, particularly small enterprises, are ignoring cybersecurity, sweeping their security profile under the rug and crossing their fingers. A large part of this may be due to the news cycle. While we’ve all heard about the millions of credit cards compromised in the Home Depot, Kmart and Target breaches, there have been far fewer stories about the thousands of smaller retailers hit by the Backoff malware, which harvests customers’ card data from point-of-sale systems, leaving many smaller enterprises to think they may not be a target.

Cyber criminals are not discriminating. They can and do go after smaller companies with just as much frequency as they go after larger companies. There are two reasons for this:

Smaller companies are gateways to larger companies.

Smaller companies are often vendors providing services to larger companies. Whatever the service, many of them require direct access to the larger company’s systems. This means that when a smaller company is breached, it can very likely serve as a launching point for a successful attack against a larger company. In the meantime, the smaller company’s own sensitive data is compromised, and the cost of dealing with the breach can run to several million dollars, an expense that can be crippling to a smaller company.

Friday, December 12, 2014

Recently, a Fidelis XPS user reported detections of what appeared to be botnet-related malware. While that customer was protected, we at General Dynamics Fidelis Cybersecurity Solutions decided to take a closer look. Analysis of the malicious code showed it to be Andromeda, but the delivery infrastructure looked interesting. Further telemetry from our sensors showed that the distribution server, located in China, was also hosting and serving many other malicious specimens. Analysis of that data revealed a pattern in the filenames, and our analysts used the pattern to discover other systems distributed across the globe serving up various botnet malware, previously assumed to belong to distinct campaigns but clearly related in this case:

Andromeda

Beta Bot

Neutrino Bot

NgrBot/DorkBot

The analysis also showed how attackers continue to benefit from globally distributed hosting providers to carry out their malicious activities, and how they host and distribute identical copies of the malware from servers in different countries, including China, Poland, Russia and the United States. This matters for defenders: blocking one server or one hosting provider does not disrupt the operation, so detections should key on the malware and its beaconing behaviour rather than on a single IP address.

For the period of time researched in this activity, we observed the following targeted sectors in the US:

Manufacturing / Biotechnology & Drugs

Professional Services / Engineering

Information Technology / Telecommunications

Government / State

Note that our footprint is largely in the enterprise space, so it is possible that we are seeing spillover from wider campaigns rather than deliberate targeting of these sectors.

The following diagram illustrates the relationship between some of the malicious servers, malware hosted/distributed, and vertical markets:

The following diagram illustrates the relationship between some of the malicious servers, their locations, the malware hosted/distributed, and the command servers to which the malware beacons with POST requests and from which it downloads additional malware:

The advisory identifies the servers hosting these bots and related malware, provides a triage analysis of the malware they host, and provides indicators that network defenders can use to protect their networks.

To see the full report and findings, visit the Fidelis Threat Advisory #1014 here.